upgrade m-release-p: outputTimestamp auto-update

[hboutemy]

No description provided.

[joschi]

@hboutemy Thanks for your contribution!

Could you please elaborate what the change you're referring to is doing exactly?
project.build.outputTimestamp is set to the date of the first commit of this project and I don't see a reason to dynamically update it (given that the artifact can be identified by its version).

[hboutemy]

when you open a jar/zip file, you expect that the timestamp of the files in it represent the date at which the release was done, not an old date from the past when the project was created, isn't it?
that's why having maven-release-plugin updating the timestamp brings what people usually expect
but it's a pure choice: you can choose to remain with the first commit timestamp, it still works

[joschi]

@hboutemy Thanks for the explanation.

Seeing that you are a committer in the Maven Release plugin project, I want to thank you very much for your work! 👍

Is there any plan to release maven-release-plugin 3.0.0 anytime soon or is using the milestone version 3.0.0-M4 or 3.0.0-M5 recommended?

[hboutemy]

I must admit that we use the milestone numbering for a long time now, it's very stable, we should probably do a 3.0.0 but it's not planned yet...

[joschi]

when you open a jar/zip file, you expect that the timestamp of the files in it represent the date at which the release was done, not an old date from the past when the project was created, isn't it?

@hboutemy Thanks for your feedback! This would break reproducible builds, wouldn't it?

If I built the artifacts of the https://github.com/OpenAPITools/openapi-diff/tree/2.0.1 tag twice on a different time, it would result in different artifacts because the output timestamp of the files in the JARs are different, wouldn't it?

See #299 for a related discussion.

[hboutemy]

This would break reproducible builds, wouldn't it?

Reproducible Builds is about being reproducible: having a fixed value is reproducible.

the best proof I can show you that reproducibility works is https://github.com/jvm-repo-rebuild/reproducible-central#org.openapitools.openapidiff:openapi-diff-parent : I rebuilt your release and I got the same binaries than you

this is the result of you configuring outputTimestamp and using recent versions of plugins that I updated to support reproducible output when timestamp is defined: see all in https://maven.apache.org/guides/mini/guide-reproducible-builds.html

The guy from Arch Linux does not realize how things changed with the work I did in past 3 years :)

[joschi]

@hboutemy I'm not sure I understand the purpose of this pull request then.

When building OpenAPI Diff from this PR, the timestamps in the resulting artifacts (JAR files) is still the one we set to a fixed timestamp in the Maven POM via project.build.outputTimestamp.

# git diff HEAD..master
diff --git pom.xml pom.xml
index 581554a..b1ea9c3 100644
--- pom.xml
+++ pom.xml
@@ -277,7 +277,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-release-plugin</artifactId>
-                    <version>2.5.3</version>
+                    <version>3.0.0-M5</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

# ./mvnw -q -Prelease clean package -DskipTests -Dmaven.javadoc.skip -Dgpg.skip

# jar -tvf cli/target/openapi-diff-cli-2.0.1-SNAPSHOT.jar
     0 Tue Dec 12 00:39:30 CET 2017 META-INF/
    81 Tue Dec 12 00:39:30 CET 2017 META-INF/MANIFEST.MF
     0 Tue Dec 12 00:39:30 CET 2017 org/
     0 Tue Dec 12 00:39:30 CET 2017 org/openapitools/
     0 Tue Dec 12 00:39:30 CET 2017 org/openapitools/openapidiff/
     0 Tue Dec 12 00:39:30 CET 2017 org/openapitools/openapidiff/cli/
     0 Tue Dec 12 00:39:30 CET 2017 META-INF/maven/
     0 Tue Dec 12 00:39:30 CET 2017 META-INF/maven/org.openapitools.openapidiff/
     0 Tue Dec 12 00:39:30 CET 2017 META-INF/maven/org.openapitools.openapidiff/openapi-diff-cli/
   278 Tue Dec 12 00:39:30 CET 2017 logback.xml
  9343 Tue Dec 12 00:39:30 CET 2017 org/openapitools/openapidiff/cli/Main.class
  2952 Tue Dec 12 00:39:30 CET 2017 META-INF/maven/org.openapitools.openapidiff/openapi-diff-cli/pom.xml
    88 Tue Dec 12 00:39:30 CET 2017 META-INF/maven/org.openapitools.openapidiff/openapi-diff-cli/pom.properties

[hboutemy]

the new plugin version will only update the outputTimestamp when you'll do mvn release:prepare, when it updates project version in pom.xml
see for example apache/maven-jar-plugin@d37e995

[joschi]

the new plugin version will only update the outputTimestamp when you'll do mvn release:prepare, when it updates project version in pom.xml

Got it, that was the missing part. 😅

Thanks for your contribution!